Fail2ban is a great piece of software that makes your server a little more secure.

How?

It reads the logs of selected services and bans the IP addresses that rack up too many failures: once an address has produced maxretry failures within findtime seconds, it is blocked for bantime seconds (all three values are set in the configuration file below).

Let's be clear: Dovecot, your POP server, is not protected here, and it does not go through saslauthd to authenticate the users fetching their mail; in this setup it authenticates through PAM, which is why the failures below are logged by pam_unix(dovecot:auth).

Having run into trouble setting up saslauthd, I leave my server without protection. Well, not quite.

If, like me, you have noticed unwanted connection attempts like these:

Mar 22 04:11:11 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=tester rhost=60.161.14.153

Mar 22 04:11:11 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tester

Mar 22 04:11:17 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown

Mar 22 04:11:17 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=60.161.14.153

Mar 22 04:11:17 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test

Mar 22 04:11:24 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown

Mar 22 04:11:24 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=60.161.14.153

Mar 22 04:11:24 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test

Mar 22 04:11:30 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown

Mar 22 04:11:30 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=60.161.14.153

Mar 22 04:11:30 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test

Mar 22 04:11:35 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown

Mar 22 04:11:35 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=60.161.14.153

Mar 22 04:11:35 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test

Mar 22 04:11:40 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown

Mar 22 04:11:40 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=office rhost=60.161.14.153

Mar 22 04:11:40 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user office

Mar 22 04:11:45 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown

Mar 22 04:11:45 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=60.161.14.153

Mar 22 04:11:45 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user webmaster

Mar 22 04:11:50 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown

Mar 22 04:11:50 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=postgres rhost=60.161.14.153

Mar 22 04:11:50 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user postgres

Mar 22 04:11:55 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown

Mar 22 04:11:55 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info rhost=60.161.14.153

Mar 22 04:11:55 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user info

Mar 22 04:12:00 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown

Mar 22 04:12:00 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sales rhost=60.161.14.153

Mar 22 04:12:00 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user sales

Mar 22 04:12:05 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown

Mar 22 04:12:05 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=spam rhost=60.161.14.153

Mar 22 04:12:05 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user spam

Mar 22 04:12:11 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown


Fail2ban is for you!

These bots are a pain, aren't they? We have the bot's IP address; we could simply block it in iptables by hand. But if something can do that for us automatically, why not let it?

That is where Fail2ban comes in.

# yum install fail2ban

Fail2ban consists of a configuration file (jail.conf, which defines the jails) and filters (one file per service in /etc/fail2ban/filter.d/, each holding the regular expressions that recognise a failed login). The stock filters for Apache and SSH need no changes. We will have to create a filter for Dovecot. The paths below (yum, /var/log/secure) are those of CentOS/RHEL.

CONFIGURATION

Edit Fail2ban's configuration file. (Upstream recommends putting your own settings in /etc/fail2ban/jail.local, which overrides jail.conf and survives package upgrades; editing jail.conf directly, as done here, works as well.)

# nano /etc/fail2ban/jail.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.0.240/28

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto

# This jail corresponds to the standard configuration in Fail2ban 0.6.

# The mail-whois action sends a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 5

[dovecot-iptables]

enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=DOVECOT, dest=root, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 5

[proftpd-iptables]

enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=you@mail.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled = false
filter = sasl
backend = polling
action = iptables[name=dovecot, port=pop3, protocol=tcp]
         sendmail-whois[name=dovecot, dest=root@samn0.fr]
logpath = /var/log/maillog

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath = /var/log/sshd.log

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
          /home/www/myhomepage/error.log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
         sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/postfix.log
bantime = 300

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=root@samn0.fr]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=root@samn0.fr]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
         sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled = false
filter = apache-noscript
action = shorewall
         sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/apache2/error_log

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT - tried to register forbidden variable 'GLOBALS'
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.

[lighttpd-fastcgi]

enabled = false
port = http,https
filter = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
         sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.

[named-refused-udp]

enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
         sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
         sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

The configuration file is not rocket science; let's go through it.

I need three jails: SSH, VSFTPD and DOVECOT.

  • ignoreip (in the [DEFAULT] section): the addresses that must never be banned, such as your LAN or the IP of your workplace. Put the address you administer from in this list: Fail2ban counts your own failed logins like anyone else's, and with maxretry = 3 a few typos would lock you out for bantime seconds.

SSH rule

  • enabled = true switches the jail on.
  • filter: the name of the filter to use, i.e. a file in /etc/fail2ban/filter.d/ (sshd.conf here).
  • action: what to do with the offending address. iptables[...] takes a name (it appears in the Fail2ban log and in the name of the iptables chain), the port and the protocol to block.
  • sendmail-whois, on the indented line that continues action: the sender and the recipient of the notification. Each time Fail2ban bans an address it mails you that address together with a whois lookup. Keep this line indented: it is a continuation of the action value, and the parser rejects it otherwise.
  • logpath: the path of the log to watch; on CentOS/RHEL the sshd messages are in /var/log/secure.
  • maxretry = 5 overrides the default of 3 for this jail.

DOVECOT rule

It is not in the stock file, so create it like this:

[dovecot-iptables]

enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=DOVECOT, dest=root, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 5

iptables-multiport blocks the banned address on all four mail ports at once (POP3, POP3S, IMAP and IMAPS). The logpath is /var/log/secure rather than the mail log because the failures we saw come from PAM: pam_unix logs through syslog's authpriv facility, which CentOS/RHEL writes to /var/log/secure. dovecot-pop3imap is the filter we will create below.

VSFTPD rule

It is already in the file; just make sure it is enabled:

[vsftpd-iptables]

enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=root@samn0.fr]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

Press CTRL+O to save, then CTRL+X to leave nano.

As I said, only the DOVECOT filter has to be written; the SSH and VSFTPD filters already exist and work out of the box.

DOVECOT filter

# nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
# Fail2Ban configuration file
#
# Author: SamUEL
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# The first pattern matches the pam_unix failures Dovecot produces in
# /var/log/secure (see the log excerpt at the top of this page); <HOST>
# captures the rhost= value, i.e. the address to ban. The second pattern
# matches a Postfix/SpamAssassin milter reject and only fires if the jail's
# logpath also includes the mail log.
failregex = pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>
            postfix/cleanup.*milter-reject: END-OF-MESSAGE.*\[<HOST>\].*Blocked by SpamAssassin.*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

In the filter we put the patterns that identify a failure in the log file. Remember the bot from the beginning of this chapter:

Mar 22 04:11:11 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=tester rhost=60.161.14.153

The distinctive keywords are dovecot:auth, authentication failure and rhost=, the last one carrying the attacker's address.

The failregex line therefore reads:

  • pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>

Those are the basic keywords of Dovecot's PAM failures. Two details matter: the parentheses have to be escaped, since they are regex metacharacters, and <HOST> has to be present, because Fail2ban takes the address to ban from that named group; a pattern that matches the line but captures no host bans nothing. Before restarting the service you can test the filter against the real log with fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot-pop3imap.conf, which prints how many lines matched and which addresses it extracted.
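As an added example (not code from the original post or from Fail2ban itself), here is a small Python script that does what fail2ban-regex would do with the filter above and then replays the jail's counting rules: it expands <HOST> with the alias documented in the filter template, runs both the post's original pattern and the corrected one over the log lines quoted at the top of the page, and applies maxretry, findtime and ignoreip to decide which address gets banned and when. The jail values are the post's (maxretry = 5 for the Dovecot jail, findtime = 600, ignoreip = 127.0.0.1 192.168.0.240/28); the five lines from 192.168.0.241 are constructed for this script to show ignoreip in action, everything else is copied from the post.

```python
"""Added example, not code from the original post or from Fail2ban.

Checks that the Dovecot failregex extracts the attacker's address from the
pam_unix lines quoted in the post (the post's original pattern matched
nothing), then replays the jail settings (maxretry, findtime, ignoreip) over
those lines to predict which address Fail2ban would ban and when.
Assumptions: the <HOST> alias is the one documented in the filter template;
the jail values are those of the post's jail.conf; the 192.168.0.241 lines
are constructed, the others are copied from the post."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# The <HOST> alias, exactly as the filter template documents it.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Pattern the post's filter originally carried: it requires "pop3-login",
# "pam_authenticate" and "auth failed" all on one line and captures no host.
BROKEN_FAILREGEX = (r".*dovecot:auth.*pam.*:.*pop3-login.*pam_authenticate.* failed"
                    r".*auth failed.*authentication failure$")
# Corrected pattern: matches the pam_unix failure line and captures rhost.
FIXED_FAILREGEX = r"pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>"

# Lines copied from the post's log excerpt (attacker 60.161.14.153).
SAMPLE_LOG = """\
Mar 22 04:11:11 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=tester rhost=60.161.14.153
Mar 22 04:11:11 samn0 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tester
Mar 22 04:11:17 samn0 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Mar 22 04:11:17 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=60.161.14.153
Mar 22 04:11:24 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=60.161.14.153
Mar 22 04:11:30 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=60.161.14.153
Mar 22 04:11:35 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=60.161.14.153
Mar 22 04:11:40 samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=office rhost=60.161.14.153
"""
# Constructed lines (not from the post): five failures from a LAN address that
# falls inside the post's ignoreip range 192.168.0.240/28.
SAMPLE_LOG += "".join(
    f"Mar 22 04:11:{sec} samn0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
    f"logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=192.168.0.241\n"
    for sec in ("12", "18", "25", "31", "36"))

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")


def compile_failregex(pattern):
    """Expand <HOST> the way Fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def find_failures(log_text, failregex, year=1900):
    """Return [(timestamp, host)] for every line failregex matches.

    As in Fail2ban, the syslog timestamp is split off first and the regex is
    searched in the remainder. syslog lines carry no year, hence the default."""
    rx = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        hit = rx.search(m["rest"])
        if hit and hit.groupdict().get("host"):  # a match without a host group is unusable
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits.append((ts, hit["host"]))
    return hits


def bans(failures, maxretry=5, findtime=600, ignoreip=()):
    """Replay the jail: ban a host at the moment its maxretry-th failure within
    findtime seconds is seen, unless it is covered by ignoreip.
    Returns {host: time_of_ban}."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(list)
    banned = {}
    for ts, host in sorted(failures):
        try:
            if any(ipaddress.ip_address(host) in n for n in nets):
                continue  # whitelisted, never banned
        except ValueError:
            pass  # rhost was a hostname, not an address: not whitelisted
        # keep only the failures still inside the findtime window, then add this one
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime] + [ts]
        if host not in banned and len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    print("broken failregex hits:", len(find_failures(SAMPLE_LOG, BROKEN_FAILREGEX)))
    hits = find_failures(SAMPLE_LOG, FIXED_FAILREGEX)
    print("fixed failregex hits:", len(hits))
    print("banned (no ignoreip):", bans(hits))
    print("banned (with ignoreip):", bans(hits, ignoreip=("127.0.0.1", "192.168.0.240/28")))
```

Run it with python3: the original pattern yields no hits at all, the corrected one extracts 60.161.14.153 from every pam_unix failure, and the attacker is banned at 04:11:35, on its fifth failure, while the LAN host with the same number of failures is left alone because of ignoreip. Lowering findtime to a few seconds shows the other side of the rule: failures six seconds apart never accumulate to maxretry inside the window, so nothing is banned.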

Press CTRL+O to save, then CTRL+X to leave nano.

This file must be owned by root, with group root, and have mode 644 in octal, i.e. -rw-r--r--.

Now start the Fail2ban service (and, on CentOS/RHEL, run chkconfig fail2ban on so that it comes back after a reboot).

# service fail2ban start
Starting fail2ban: [ OK ]

To check that Fail2ban is really working, list the firewall rules:

# iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap,imaps

Chain fail2ban-SSH (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-VSFTPD (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination

This command lists every chain iptables currently has. Fail2ban has created one chain per jail (fail2ban-SSH, fail2ban-VSFTPD, fail2ban-dovecot-pop3imap) and, for the Dovecot jail, inserted a rule in INPUT that sends POP3/IMAP traffic through its chain; every banned address appears in that chain as a DROP rule for bantime seconds and is removed afterwards. Mind the reference counts: a chain marked (0 references), as fail2ban-SSH and fail2ban-VSFTPD are in this listing, has no rule in INPUT pointing at it, so an address banned in it would not actually be blocked; check that each enabled jail has its jump rule in INPUT, and use fail2ban-client status dovecot-iptables to see what a jail has matched and banned so far. So we have done a good job!

Those little pirates will be stopped :)